Evolving the Safe Browsing API

We're excited to announce the launch of the new Safe Browsing API version 4. Version 4 replaces the existing Safe Browsing API version 3. With the launch of v4, we’re now starting the deprecation process for v2-3: please transition off of these older Safe Browsing protocol versions as soon as possible and onto protocol version 4.

Safe Browsing protects well over two billion internet-connected devices from threats like malware and phishing, and has done so for over a decade. We launched v1 of the Safe Browsing API in 2007 to give developers a simple mechanism to access Google’s lists of suspected unsafe sites.

The web has evolved since then and users are now increasingly using the web from their mobile devices. These devices have constraints less common to traditional desktop computing environments: mobile devices have very limited power and network bandwidth, and often poor quality of service. Additionally, cellular data costs our users money, so we have a responsibility to use it judiciously.

With protocol version 4, we’ve optimized for this new environment with a clear focus on maximizing protection per bit, which benefits all Safe Browsing users, mobile and desktop alike. Version 4 clients can now define constraints such as geographic location, platform type, and data caps to use bandwidth and device resources as efficiently as possible. This allows us to function well within the much stricter mobile constraints without sacrificing protection.

We’ve been using the new protocol since December via the Safe Browsing client on Android, which is part of Google Play Services. The first app to use the client is Chrome, starting with version 46: we’re already protecting hundreds of millions of Android Chrome users by default.

We’ve Done Most Of The Work For You Already

A single device should only have a single, up-to-date instance of Safe Browsing data, so we’re taking care of that for all Android developers. Please don’t implement your own Version 4 client on Android: we’re working on making a simple, device-local API available to prevent any resource waste on device. We’ll announce the availability of this new device-local API as soon as possible; in the meantime, there’s no need to develop a Version 4 client on your own. For those who operate in less resource-constrained environments, using the Safe Browsing Version 4 API directly allows you to:

Check pages against the Safe Browsing lists based on platform and threat types.

Warn users before they click links that may lead to infected pages.

Prevent users from posting links to known infected pages

To make Safe Browsing integration as simple as possible, we’re also releasing a reference client implementation of the new API today, written in Go. It also provides a Safe Browsing HTTP proxy server, which supports JSON.